
[solved] Port forwarding

admin33

Newbie
Hello,

I have the following problem:

I want to reach the clients behind a Suse 9.3 Linux server from my machine via VNC.

We have set up a VPN from our company to the customer, and the routing is configured so that I can get as far as the server:

eth0 192.168.0.1
eth1 10.0.4.2

Router: 10.0.4.100

I can ping 10.0.4.2, but not 192.168.0.1.

IP forwarding is enabled.
Port 5900 is opened in the firewall.

I now want to reach the machine 192.168.0.10 directly, without having to go through the server first.

On the router I have set up a port forward to 192.168.0.10:5900.

Do I also have to forward the port on the Linux server, and if so, how do I do that?

Ralf
 

Martin Breidenbach

Ultimate Guru
If it doesn't do NAT, then 'only' the routing has to be configured correctly. Does the router know a route into the 192 network? I assume the Linux server is the default gateway in the 192 network.
 

admin33

Newbie
Yes, the router has a route into the 192 network, and the server is the default gateway for the clients.

I have enabled masquerading on the server.

I think I have to configure a port forward on the Linux server as well, just like on the hardware router, or is that approach wrong?

Ralf
 

Martin Breidenbach

Ultimate Guru
admin33 wrote:
I have enabled masquerading on the server.

Then a port forward has to go in there, because with masquerading no incoming connections are possible otherwise. And the target of the port forward on the router must then be the external IP address of the Linux server.
 

Martin Breidenbach

Ultimate Guru
Are you using SuSEfirewall2? If so, have a look at its configuration file and read the comments on the individual items.
 

Martin Breidenbach

Ultimate Guru
Of course one is for incoming and the other for outgoing connections. Nobody ever claimed otherwise. If the Linux box does masquerading, then a machine in the masqueraded network is not reachable from the router via port forwarding unless port forwarding is additionally done on the Linux box as well.
 
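The point made in the two posts above (opening tcp/5900 on the firewall is not the same as forwarding it to a masqueraded host) can be turned into a small check. The script below is an added example, not code from the thread or from SuSEfirewall2 itself; the variable names FW_ROUTE, FW_MASQUERADE, FW_FORWARD_MASQ and FW_SERVICES_EXT_TCP are the real /etc/sysconfig/SuSEfirewall2 ones, the values are constructed to mirror the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example: does an inbound TCP connection that arrives on the
# server's external interface reach a host in the masqueraded network?
# Not SuSEfirewall2 code; it only reasons about the settings' meaning.

# masq_forward_exists HOST PROTO PORT "ENTRIES"
# Returns 0 when one FW_FORWARD_MASQ entry forwards PROTO/PORT to HOST.
# Entry format: <src net>,<forward-to ip>,<proto>,<port>[,redirect port[,dest ip]]
masq_forward_exists() {
    mfe_host=$1; mfe_proto=$2; mfe_port=$3
    for mfe_entry in $4; do
        mfe_to=$(printf '%s' "$mfe_entry" | cut -d, -f2)
        mfe_pr=$(printf '%s' "$mfe_entry" | cut -d, -f3)
        mfe_po=$(printf '%s' "$mfe_entry" | cut -d, -f4)
        if [ "$mfe_to" = "$mfe_host" ] && [ "$mfe_pr" = "$mfe_proto" ] && [ "$mfe_po" = "$mfe_port" ]; then
            return 0
        fi
    done
    return 1
}

# port_in_list PORT "LIST": 0 when PORT is in a space separated FW_SERVICES_*
# list. Numeric ports only; service names such as "ssh" are not resolved here.
port_in_list() {
    for pil_p in $2; do
        if [ "$pil_p" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# check_inbound HOST PORT FW_ROUTE FW_MASQUERADE "FW_FORWARD_MASQ" "FW_SERVICES_EXT_TCP"
# Prints one line per missing piece and returns 1, or prints "ok" and
# returns 0 when the inbound path to HOST:PORT is complete.
check_inbound() {
    ci_host=$1; ci_port=$2; ci_route=$3; ci_masq=$4; ci_fwd_masq=$5; ci_ext_tcp=$6
    ci_missing=0
    if [ "$ci_route" != "yes" ]; then
        echo "FW_ROUTE is not yes: the server does not forward packets at all"
        ci_missing=1
    fi
    if port_in_list "$ci_port" "$ci_ext_tcp"; then
        # FW_SERVICES_EXT_TCP opens ports on the firewall host itself; it says
        # nothing about forwarding to a machine behind it.
        echo "note: tcp/$ci_port in FW_SERVICES_EXT_TCP only reaches services on the firewall, not $ci_host"
    fi
    if [ "$ci_masq" = "yes" ]; then
        # Masquerading hides the internal hosts behind the external address,
        # so an inbound connection needs an explicit FW_FORWARD_MASQ (DNAT) entry.
        if ! masq_forward_exists "$ci_host" tcp "$ci_port" "$ci_fwd_masq"; then
            echo "FW_FORWARD_MASQ has no entry forwarding tcp/$ci_port to $ci_host (e.g. \"0/0,$ci_host,tcp,$ci_port\")"
            ci_missing=1
        fi
    else
        echo "note: without masquerading plain routing applies; FW_FORWARD (item 13) decides what is forwarded"
    fi
    if [ "$ci_missing" -eq 0 ]; then
        echo ok
        return 0
    fi
    return 1
}

# Constructed values mirroring the thread: FW_FORWARD_MASQ is empty.
if check_inbound 192.168.0.10 5900 yes yes "" "3000 5800 5900 ssh"; then
    echo "-> reachable"
else
    echo "-> not reachable"
fi
# The same settings with the forwarding entry added.
if check_inbound 192.168.0.10 5900 yes yes "0/0,192.168.0.10,tcp,5900" "3000 5800 5900 ssh"; then
    echo "-> reachable"
else
    echo "-> not reachable"
fi
```

The check deliberately reports the 5900 entry in FW_SERVICES_EXT_TCP as a note rather than as progress: that setting is what makes the server itself answer on the port, which is a different thing from passing the connection on to 192.168.0.10.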

admin33

Newbie
Martin Breidenbach wrote:
Are you using SuSEfirewall2? If so, have a look at its configuration file and read the comments on the individual items.

Many thanks for the comments so far. But can someone please tell me exactly what I have to set and where, without me having to read through the whole config file first?

Thanks in advance
Ralf
 

Anonymous

Guest
But can someone please tell me exactly what I have to set and where, without me having to read through the whole config file first?

Have your cake and eat it too?

If you're not even able to post your current settings/configuration files, then it's a bit strange to expect that someone here presents you the solution on a silver platter, since for lack of usable information from your side nobody even knows where to look for an error.

The simplest solution with that attitude is to find someone who does this professionally for good money, who brings motivation and expertise, and then to pay that person good money for good work.

Greetz,

RM
 

admin33

Newbie
Rain_Maker wrote:
But can someone please tell me exactly what I have to set and where, without me having to read through the whole config file first?

Have your cake and eat it too?

If you're not even able to post your current settings/configuration files, then it's a bit strange to expect that someone here presents you the solution on a silver platter, since for lack of usable information from your side nobody even knows where to look for an error.

The simplest solution with that attitude is to find someone who does this professionally for good money, who brings motivation and expertise, and then to pay that person good money for good work.

Greetz,

RM

What a pity, I thought I could get help here. But apparently there are still people who believe they have to educate others as they see fit.

I asked a factual question. Nothing more!!!
 

G aus W

Hacker
Hello Admin33,

believe me, people would help you; they have already started to.

But it is nearly impossible to help you if no usable information comes from you. The people who want to help you have no access to your system, after all, and can't simply read off what is going on there. So it's a bit like the lottery here: if you don't buy a ticket, you can't win. If you don't hand out any information about your system and your configuration, you can't expect many useful tips...

And a bit of initiative, i.e. "reading through" a configuration file, will always be expected; you shouldn't take offence when that is exactly what's suggested to you.

I would guess (it is no more than speculation, since I don't have a crystal ball either) that you should, exactly as suggested, check the settings in your firewall. I have an OpenVPN running myself and can access the machines in the LAN from the client, but only since I made the necessary changes in said firewall configuration file.

So: don't lose heart, don't despair, provide info, and you'll see: help is not far away!

Regards, Greg
 

admin33

Newbie
G aus W wrote:
Hello Admin33,

believe me, people would help you; they have already started to.

But it is nearly impossible to help you if no usable information comes from you. The people who want to help you have no access to your system, after all, and can't simply read off what is going on there. So it's a bit like the lottery here: if you don't buy a ticket, you can't win. If you don't hand out any information about your system and your configuration, you can't expect many useful tips...

And a bit of initiative, i.e. "reading through" a configuration file, will always be expected; you shouldn't take offence when that is exactly what's suggested to you.

I would guess (it is no more than speculation, since I don't have a crystal ball either) that you should, exactly as suggested, check the settings in your firewall. I have an OpenVPN running myself and can access the machines in the LAN from the client, but only since I made the necessary changes in said firewall configuration file.

So: don't lose heart, don't despair, provide info, and you'll see: help is not far away!

Regards, Greg

Thanks Greg for your encouraging words!

So my environment looks as follows:

Lancom router
with 10.0.4.100

Suse Linux 9.3 server with 2 network cards:

eth0 192.168.0.1 (internal network)
eth1 10.0.4.2 (external network)

Windows clients with Win2000 and WinXP

SuSEFirewall2 with the following configuration:

## Path: Network/Firewall/SuSEfirewall2
## Description: SuSEfirewall2 configuration
## Type: string
## Default: any
#
# 2.)
# Which are the interfaces that point to the internet/untrusted
# networks?
#
# Enter all untrusted network devices here
#
# Format: space separated list of interface or configuration names
#
# The special keyword "auto" means to use the device of the default
# route. "auto" cannot be mixed with other interface names.
#
# The special keyword "any" means that packets arriving on interfaces not
# explicitly configured as int, ext or dmz will be considered external. Note:
# this setting only works for packets destined for the local machine. If you
# want forwarding or masquerading you still have to add the external interfaces
# individually. "any" can be mixed with other interface names.
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "ippp0 ippp1", "auto", "any dsl0"
#
# Note: alias interfaces (like eth0:1) are ignored
#
FW_DEV_EXT="eth-id-00:02:44:25:67:81"

## Type: string
#
# 3.)
# Which are the interfaces that point to the internal network?
#
# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.
#
# Format: space separated list of interface or configuration names
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
#
FW_DEV_INT="eth-id-00:02:44:32:c9:cd"

## Type: string
#
# 4.)
# Which are the interfaces that point to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, seperated network, which is only connected
# to the firewall, and should be reachable from the internet to
# provide services, e.g. WWW, Mail, etc. and hence is at risk from
# attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
# example.
#
# Note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Format: space separated list of interface or configuration names
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
#
FW_DEV_DMZ=""

## Type: yesno
## Default: no
#
# 5.)
# Should routing between the internet, dmz and internal network be
# activated?
#
# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from
# /etc/sysconfig/network/options
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="yes"

## Type: yesno
## Default: no
#
# 6.)
# Do you want to masquerade internal networks to the outside?
#
# Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
#
# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
#
# defaults to "no" if not set
#
FW_MASQUERADE="yes"

## Type: string
## Default: $FW_DEV_EXT
#
# 6a.)
# You must also define on which interfaces to masquerade on. Those
# are usually the same as the external interfaces. Most users can
# leave the default.
#
# Examples: "ippp0", "$FW_DEV_EXT"
#
FW_MASQ_DEV="$FW_DEV_EXT"

## Type: string
## Default: 0/0
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0" unrestricted access to the internet
# - "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access.
# - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet. -
# - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
# 10.0.1.0/24 network is allowed to access unprivileged
# ports whereas 10.0.2.0/24 is granted unrestricted
# access.
#
FW_MASQ_NETS="192.168.0.0/24"

## Type: yesno
## Default: no
#
# 7.)
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
#
# defaults to "yes" if not set
#
FW_PROTECT_FROM_INT="no"

## Type: string
#
# 9.)
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
FW_SERVICES_EXT_TCP="3000 5800 5900 ssh"

## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# see comments for FW_SERVICES_EXT_TCP
#
# Example: "53"
#
FW_SERVICES_EXT_UDP=""

## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing which END at the firewall
#
# Example: "esp"
#
FW_SERVICES_EXT_IP=""

## Type: string
#
# Which RPC services _on the firewall_ should be accessible from
# untrusted networks?
#
# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.
#
# USE WITH CAUTION!
# regular users can register rpc services and therefore may be able
# to have SuSEfirewall2 open arbitrary ports
#
# Example: "mountd nfs"
FW_SERVICES_EXT_RPC=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_DMZ_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_DMZ_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_DMZ_RPC=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_INT_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_INT_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_INT_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_INT_RPC=""

## Type: string
#
# Packets to silently drop without log message
#
# Format: space separated list of net,protocol[,port][,sport]
# Example: "0/0,tcp,445 0/0,udp,4662"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_DROP_EXT=""

## Type: string
## Default: 0/0,tcp,113
#
# Packets to silently reject without log message. Common usage is
# TCP port 113 which if dropped would cause long timeouts when
# sending mail or connecting to IRC servers.
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,113"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_REJECT_EXT="0/0,tcp,113"

## Type: string
## Default: 0/0,tcp,113
#
# Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,22"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_ACCEPT_EXT=""

## Type: string
#
# 10.)
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

## Type: string
## Default:
#
# 11.)
# Specify which ports are allowed to access unprivileged ports (>1023)
#
# Format: yes, no or space separated list of ports
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname). Note that this is easy to circumvent! The best choice is to
# keep this option unset or set to 'no'
#
# defaults to "no" if not set (good choice)
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""

## Type: string
## Default:
#
# See FW_ALLOW_INCOMING_HIGHPORTS_TCP
#
# defaults to "no" if not set (good choice)
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""

## Type: string
#
# 13.)
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice befor using this option!
#
# Format: space separated list of
# <source network>,<destination network>[,protocol[,port[,flags]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# The only flag currently supported is 'ipsec' which means to only
# match packets that originate from an IPsec tunnel
#
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
# service on the host 2.2.2.2
# - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
# to access any service in the network 4.4.4.4/24
# - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
# from 5.5.5.5 to 6.6.6.6
# - "0/0,0/0,udp,514" always permit udp port 514 to pass
# the firewall
# - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
# 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
# from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
# provided that both networks are connected via an
# IPsec tunnel.
FW_FORWARD=""

## Type: string
#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addesses! Hint: if FW_DEV_MASQ is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!
#
# Please note that this should *not* be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!
#
# Format: space separated list of
# <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10
# - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10 on port 81
# - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
# the network 200.200.200.0/24 trying to access the
# address 202.202.202.202 on port 80 will be forwarded
# to the internal server 10.0.0.10 on port 81
#
# Note: du to inconsitent iptables behaviour only port numbers are possible but
# no service names (https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273)
#
FW_FORWARD_MASQ=""

## Type: string
#
# 15.)
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
#
# Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
# Where protocol is either tcp or udp. dport is the original
# destination port and lport the port on the local machine to
# redirect the traffic to
#
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
#
# Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
# Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
# to additionally open the local port
FW_REDIRECT=""

## Type: yesno
## Default: yes
#
# 16.)
# Which kind of packets should be logged?
#
# When set to "yes", packages that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"

## Type: yesno
## Default: no
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="no"

## Type: yesno
## Default: yes
#
# When set to "yes", packages that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests, access to high
# udp/tcp port and forwarded pakets.
#
# defaults to "yes" if not set
#
FW_LOG_ACCEPT_CRIT="yes"

## Type: yesno
## Default: no
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="no"

## Type: string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""

## Type: string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# only change this if you know what you are doing!
FW_LOG=""

## Type: yesno
## Default: yes
#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY="yes"

## Type: yesno
## Default: no
#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# Choices "yes" or "no", if not set defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"

## Type: yesno
## Default: yes
#
# 19.)
# Allow the firewall to reply to icmp echo requests
#
# defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"

## Type: yesno
## Default: no
#
# 19a.)
# Allow hosts in the dmz to be pinged by internal and external hosts
# REQUIRES: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ="no"

## Type: yesno
## Default: no
#
# 19b.)
# Allow external hosts to be pinged from internal or dmz hosts
# REQUIRES: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT="no"

##
# END of /etc/sysconfig/SuSEfirewall2
##

# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #

## Type: yesno
## Default: yes
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# 22.)
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcasts packets.
# Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
#
# If you want to drop broadcasts however ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specifc ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
# to enter the machine but drop any other broadcasts
# - "yes" do not install any extra drop rules for
# broadcast packets. They'll be treated just as unicast
# packets in this case.
# - "no" drop all broadcast packets before other filtering
# rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT=""

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT=""

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ=""

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
# - "yes" do not log dropped broadcast packets
# - "no" log all dropped broadcast packets
#
#
# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="no"

## Type: yesno
## Default: no
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# be default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
## Default: no
#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_REJECT=""

## Type: string
#
# 27.)
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# it's own buffers because queing is done by us now.
# So for a 256kbit upstream
# FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everthing else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# 28.)
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
# traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets. This is the default if stateful matching is
# not available.
#
# - reject: reject all IPv6 packets
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether your kernel supports stateful matching.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# 28a.)
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz)
## Default: no
#
# 29.)
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available trough an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitely allow IPsec traffic.
# Example:
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"

## Type: string
## Default:
#
# 30.)
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the approriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
# FW_ZONES="wlan"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
#
FW_ZONES=""

Many thanks in advance for your efforts.
Ralf
 

G aus W

Hacker
Hello Ralf,

a small request first: please wrap such long output in "Code" tags. Like this:

Code:
[code]
Then put all the stuff in here, and at the end of the block a
[/code].

And it becomes readable at once... 8)

And now to your question: it looks to me as if a routing entry is missing under item 13. The server has to know that it must route between the two network interfaces (i.e. LAN and VPN).

Wouldn't an entry like the following belong there:

Code:
FW_FORWARD="192.168.0.0/24,10.0.4.0/16 10.0.4.0/16,192.168.0.0/24"

Then restart the firewall and test.

Regards, Greg
 
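To see what the two forwarding variables from the posted configuration actually do (item 13, FW_FORWARD, and item 14, FW_FORWARD_MASQ), the script below renders entries in their documented format as iptables commands. It is an added example, not code from the thread and not SuSEfirewall2's own rule generator: the real script also builds its own chains, logging and state matching, and the choice to use the firewall's external address when an entry gives no destination IP is my simplification. The network values are constructed from the thread; the /24 mask on the 10.0.4.x side is an assumption, since only 10.0.4.2 and 10.0.4.100 appear in the posts.

```shell
#!/bin/sh
# Added example: render FW_FORWARD and FW_FORWARD_MASQ entries as the
# iptables commands they roughly correspond to. Nothing is executed; the
# commands are only printed so the two mechanisms can be compared.

# fw_forward_rules "ENTRIES": one FORWARD ACCEPT rule per entry, no NAT.
# Entry format: <src net>,<dst net>[,protocol[,port[,flags]]]
# (the 'ipsec' flag is ignored in this simplified rendering)
fw_forward_rules() {
    for ffr_e in $1; do
        ffr_src=$(printf '%s' "$ffr_e" | cut -d, -f1)
        ffr_dst=$(printf '%s' "$ffr_e" | cut -d, -f2)
        ffr_proto=$(printf '%s' "$ffr_e" | cut -d, -f3)
        ffr_port=$(printf '%s' "$ffr_e" | cut -d, -f4)
        ffr_match=""
        if [ -n "$ffr_proto" ]; then
            ffr_match=" -p $ffr_proto"
            if [ -n "$ffr_port" ]; then
                ffr_match="$ffr_match --dport $ffr_port"
            fi
        fi
        echo "iptables -A FORWARD -s $ffr_src -d $ffr_dst$ffr_match -j ACCEPT"
    done
}

# fw_forward_masq_rules "ENTRIES" EXT_IP: a DNAT in nat/PREROUTING plus a
# FORWARD ACCEPT for the rewritten packet, per entry.
# Entry format: <src net>,<forward-to ip>,<proto>,<port>[,redirect port[,dest ip]]
# Without a redirect port the original port is kept; without a destination
# ip the firewall's external address EXT_IP is matched (assumption).
fw_forward_masq_rules() {
    fmr_ext=$2
    for fmr_e in $1; do
        fmr_src=$(printf '%s' "$fmr_e" | cut -d, -f1)
        fmr_to=$(printf '%s' "$fmr_e" | cut -d, -f2)
        fmr_proto=$(printf '%s' "$fmr_e" | cut -d, -f3)
        fmr_port=$(printf '%s' "$fmr_e" | cut -d, -f4)
        fmr_rport=$(printf '%s' "$fmr_e" | cut -d, -f5)
        fmr_dip=$(printf '%s' "$fmr_e" | cut -d, -f6)
        [ -n "$fmr_rport" ] || fmr_rport=$fmr_port
        [ -n "$fmr_dip" ] || fmr_dip=$fmr_ext
        echo "iptables -t nat -A PREROUTING -s $fmr_src -d $fmr_dip -p $fmr_proto --dport $fmr_port -j DNAT --to-destination $fmr_to:$fmr_rport"
        echo "iptables -A FORWARD -s $fmr_src -d $fmr_to -p $fmr_proto --dport $fmr_rport -j ACCEPT"
    done
}

# Constructed values from the thread: LAN 192.168.0.0/24 behind eth0,
# VPN side 10.0.4.0/24 (mask assumed), VNC host 192.168.0.10,
# server external address 10.0.4.2.
echo "# FW_FORWARD: plain routing between the two networks, no address rewriting"
fw_forward_rules "192.168.0.0/24,10.0.4.0/24 10.0.4.0/24,192.168.0.0/24"
echo "# FW_FORWARD_MASQ: the DNAT a masqueraded host needs for inbound VNC"
fw_forward_masq_rules "10.0.4.0/24,192.168.0.10,tcp,5900" 10.0.4.2
```

Reading the two outputs side by side shows the difference that matters for this thread: FW_FORWARD only permits packets that already carry the internal address as destination, while FW_FORWARD_MASQ first rewrites packets addressed to the server's external IP (which is why the router's forward must point at 10.0.4.2) and then permits them.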

G aus W

Hacker
Hello Ralf,

you see, it can go quickly once you know where to look...

Glad I was able to help. :D

Please be so kind as to mark the original post as [solved].

All the best!

Greg
 